Firefox 45 Patches 22 Critical Vulnerabilities

Mozilla this week released the stable version of Firefox 45 to resolve 40 vulnerabilities in the browser, 22 of which are rated Critical.

The update patches flaws in multiple browser components, the most affected being the Graphite 2 library, which was impacted by 14 Critical bugs. Other Critical vulnerabilities were found in NSS, XML transformations, SetBody, HTML5 string parser, Service Worker Manager, and WebRTC data channels.

In February, Graphite 2 was updated to version 1.3.5 to resolve four issues that could result in arbitrary code execution and denial-of-service (DoS) attacks. The update arrived in Firefox 44.0.2, which was released roughly two weeks after Firefox 44 landed in the stable channel with push notifications and deprecated support for RC4.

One of the issues resolved in the library with the new update was an out-of-bounds write when loading a crafted Graphite font file (CVE-2016-1969). The issue was resolved in Graphite 2 version 1.3.6, which also patches 11 heap buffer overflow bugs, along with two uninitialized memory flaws (CVE-2016-2790 and CVE-2016-2795), and an out of bounds bit set issue (CVE-2016-1977), Mozilla revealed.

Another Critical issue resolved in Firefox 45 (and Firefox ESR 38.7) was a heap-based buffer overflow in the way the Network Security Services (NSS) libraries parsed certain ASN.1 structures, which could result in arbitrary code execution (CVE-2016-1950). A use-after-free during XML transformation operations issue was also patched in this release (CVE-2016-1964).

Firefox 45 also patches a Critical use-after-free issue when using multiple WebRTC data channel connections (CVE-2016-1962), a use-after-free issue in the SetBody function of HTMLDocument (CVE-2016-1961), a use-after-free issue in the HTML5 string parser (CVE-2016-1960), a mechanism where the Clients API in Service Workers can be used to trigger an out-of-bounds read in ServiceWorkerManager (CVE-2016-1959), and memory safety bugs in the browser engine (CVE-2016-1952 and CVE-2016-1953).

The browser update also resolves 7 vulnerabilities rated High risk, including a use-after-free vulnerability while processing DER encoded keys in the NSS libraries (CVE-2016-1979), an out-of-bounds read following a failed allocation in the HTML parser (CVE-2016-1974), a use-after-free in GetStaticInstance in WebRTC (CVE-2016-1973), a memory corruption with malicious NPAPI plugin (CVE-2016-1966), and a buffer overflow in Brotli decompression (CVE-2016-1968).

Mozilla also resolved a variant of a same origin flaw that was patched in Firefox 43, which made it possible to read cross-origin URLs following a redirect if performance.getEntries() was used along with an iframe to host a page. The new bug allowed for the same attack to be performed if a browser session was restored, because content was restored from the browser cache (CVE-2016-1967).

It was also discovered that a malicious page can overwrite files on the user's machine using Content Security Policy (CSP) violation reports, which could result in privilege escalation (CVE-2016-1954). The issue is resolved in Firefox 45 and Firefox ESR 38.7.

Firefox 45 also addresses 10 Moderate risk flaws in the browser, including five WebRTC (an integer underflow, a missing status check, race condition, and a use of deleted pointers to create new object) and LibVPX vulnerabilities (race condition) that affect only Windows users. Except for a Linux video memory denial of service (DOS) with Intel drivers, the other issues impact all platforms, Mozilla said.

The new browser version also patches a memory leak in the libstagefright library when array destruction occurs during MPEG4 video file processing (CVE-2016-1957). The flaw is rated Low risk, and doesn’t appear to be related to the Critical vulnerabilities discovered in Android’s libstagefright library last year.

Firefox 45 is available for download for Windows, Mac, Linux, and Android users and brings along various improvements and new features as well, in addition to the aforementioned security patches.

On Tuesday, Google pushed a new set of security patches to its Chrome browser, although it released Chrome 49 in the stable channel only last week. The latest Chrome release (version 49.0.2623.87) resolved three High risk vulnerabilities, while last week’s iteration (version 49.0.2623.75) resolved 26 security holes, 8 of which were High risk.